US is shoring up gaps in cyber policy, but critical goals remain unfulfilled
Sen. Angus King, I-Maine, said the Cyberspace Solarium Commission was a bipartisan success and led to several key initiatives that helped strengthen U.S. national security amid a growing threat landscape, speaking on a panel at the Billington CyberSecurity Summit in Washington D.C. on Thursday.
The CSC, created under the National Defense Authorization Act of fiscal 2019, was a bipartisan group that included four members of Congress, as well as members of the executive branch and private sector. CSC was designed to make recommendations as part of a comprehensive cyber defense strategy.
King, co-chair of CSC, cited a number of key successes from the CSC, including the appointment of Chris Inglis as national cyber director as well as efforts to strengthen the Cybersecurity and Infrastructure Security Agency as the nation’s top agency for cybersecurity. Upwards of 60% of the commission’s recommended goals have been realized, officials said.
From the outset King, alongside CSC Co-chair Rep. Mike Gallagher, R-Wis., emphasized that the goal to strengthen cybersecurity would not be a partisan exercise.
“Whenever you join a commission, you never know where it’s going to go, and whether it’s going to wind up on a shelf somewhere,” King said. “Whether it’s going to be something that says, ‘ok nice commission, there you go.’ We’ve had a real impact I think.”
Policy analysts said the commission did make significant progress in helping implement key goals, but they caution a lot of work remains in terms of key recommendations that have yet to be reached.
“It is critical that studies like the commission be ongoing and that practices be regularly reassessed, rather than a one time process,” said Brandon Pugh, senior fellow and policy counsel, cybersecurity and emerging threats at the R Street Institute. “This requires cooperation by those both in and out of government.”
One key recommendation that still needs urgent momentum is a federal law on data privacy and security, Pugh said in an email.
Stacy O’Mara, senior director, government affairs at Mandiant, said the current CSC 2.0 project, which is run by a nonprofit organization, will be an important part of the public-private partnership that is needed to think through current challenges facing policymakers, including securing the nation’s cybersecurity from nation-state attacks and protecting critical infrastructure.
“There’s still much work to be done on cyber and our policy stakeholders will continue to benefit from the mind hive of this organization, especially as they think through how to combat cyber threats to important sectors like water and healthcare and developing a stronger cyber workforce,” O’Mara said via email.
A key recommendation of the commission that needs to move forward is the creation of a Bureau of Cyber Statistics, according to Suzanne Spaulding, senior adviser, homeland security at the Center for Strategic and International Studies.
Such data would help bolster the cyber insurance market, Spaulding said, and CISO’s would be able to present the data to their boards to demonstrate a return on investment.
In the near term, King said the Senate Foreign Relations Committee will be taking a look at the Cyber Diplomacy Act.
The State Department has launched the Bureau of Cyberspace and Digital Policy as a venue to promote diplomatic engagement to strengthen alliances and help establish international norms in the realm of cyberspace.
Just last month, Nathaniel Fick, the nominee for Ambassador at Large for Cyberspace and Digital Policy, told lawmakers on the Senate Foreign Relations Committee the U.S. must take a leading role in this effort to prevent authoritarian regimes from using malicious cyber as a weapon against democratic norms.
Gloss